
Bluetooth Hack Leaves Many Smart Locks, IoT Devices Vulnerable

Researchers are sounding an alarm over the growing number of Bluetooth devices used for keyless entry and mobile point-of-sales systems that are vulnerable to man-in-the-middle attacks.

Sławomir Jasek with research firm SecuRing is sounding an alarm over the growing number of Bluetooth devices used for keyless entry and mobile point-of-sales systems that are vulnerable to man-in-the-middle attacks.

Jasek said the problem is traced back to devices that use the Bluetooth Low Energy (BLE) feature for access control. He said too often companies do not correctly implement the bonding and encryption protections offered in the standard. This shortcoming could allow attackers to clone BLE devices and gain unauthorized access to a physical asset when a smartphone is used as a device controller.

Bluetooth Low Energy, also known as Bluetooth Smart or Bluetooth 4, is designed to be power efficient and has been popular for transporting data between smartphones and IoT devices, smart homes, medical equipment and physical access control devices.

Jasek presented his findings last week at Black Hat USA where he also introduced a BLE proxy tool, dubbed GATTacker, for detecting the presence of and exploiting the vulnerability. GATTacker can “see” data transferred between a smartphone used as a controller and a BLE device. It can also either clone the controller or capture and manipulate data transferred between the two BLE devices when certain conditions are met.

“The BLE specification assures secure connections through link-layer encryption, device whitelisting and bonding… A surprising number of devices do not (or simply cannot – because of the use scenario) utilize these mechanisms,” said Jasek in a technical description of the vulnerability. He estimates 80 percent of those BLE smart devices are vulnerable to MitM attacks.

The data transport layer within BLE is the Generic Attribute Profile (GATT), which defines how data is exchanged. “The security (like authentication) is, in fact, provided on higher ‘application’ (GATT protocol) layer of the data exchanged between the “master” (usually mobile phone) and peripheral device,” Jasek wrote.

Using GATTacker running on a Raspberry Pi computer, SecuRing is able to observe the scanning of specific broadcast signals between the “master” (for example a keyless locking system) and the controller (smartphone). The tool can clone the victim’s mobile BLE application. Next, it can forward and tamper with the exchanged data, acting as an intercepting proxy, Jasek explained.

“Using a few simple tricks, we can assure the victim will connect to our impersonator device instead of the original one, and then just proxy the traffic – without consent of the mobile app or device,” Jasek wrote. “Common flaws possible to exploit, including improper authentication, static passwords, not-so-random PRNG, excessive services, bad assumptions – which allow you to take over control of smart locks and disrupt a smart home.”
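The point above is that once link-layer protections are absent, all that stands between an intercepting proxy and the lock is whatever authentication the app implements over GATT. The following Python simulation is an added example (not SecuRing's or GATTacker's code) that models a lock, a controller app and a recording proxy in memory: a static-password unlock is replayable from a captured write, while a nonce-based challenge-response is not. Characteristic reads and writes are modelled as method calls, and the key and password values are constructed placeholders.

```python
import hashlib
import hmac
import secrets

class StaticPasswordLock:
    """Weak pattern: unlock when the written value equals a fixed password."""
    def __init__(self, password: bytes):
        self._password = password
    def write_unlock(self, value: bytes) -> bool:
        return hmac.compare_digest(value, self._password)

class ChallengeResponseLock:
    """Hardened pattern: fresh nonce per attempt, response must be HMAC(key, nonce)."""
    def __init__(self, key: bytes):
        self._key, self._nonce = key, None
    def read_challenge(self) -> bytes:
        self._nonce = secrets.token_bytes(16)  # single-use challenge
        return self._nonce
    def write_unlock(self, value: bytes) -> bool:
        if self._nonce is None:
            return False
        expected = hmac.new(self._key, self._nonce, hashlib.sha256).digest()
        self._nonce = None  # consumed whether or not the check passes
        return hmac.compare_digest(value, expected)

class RecordingProxy:
    """Sits between app and lock, forwards traffic and keeps a copy of every write."""
    def __init__(self, lock):
        self._lock, self.captured = lock, []
    def read_challenge(self) -> bytes:
        return self._lock.read_challenge()
    def write_unlock(self, value: bytes) -> bool:
        self.captured.append(value)
        return self._lock.write_unlock(value)
    def replay_last_write(self) -> bool:
        return self._lock.write_unlock(self.captured[-1])

def demo_static_password(password: bytes = b"123456") -> tuple:
    proxy = RecordingProxy(StaticPasswordLock(password))   # constructed placeholder password
    legit = proxy.write_unlock(password)     # the real app unlocks through the proxy
    replayed = proxy.replay_last_write()     # the captured write opens the lock again
    return legit, replayed                   # (True, True)

def demo_challenge_response(key: bytes = bytes(16)) -> tuple:
    proxy = RecordingProxy(ChallengeResponseLock(key))     # constructed placeholder key
    nonce = proxy.read_challenge()
    legit = proxy.write_unlock(hmac.new(key, nonce, hashlib.sha256).digest())
    proxy.read_challenge()                   # any later attempt gets a new nonce
    replayed = proxy.replay_last_write()     # the old response no longer matches
    return legit, replayed                   # (True, False)
```

The nonce defeats replay of a captured write and cloning from recorded traffic, but a proxy that is live-forwarding still passes a fresh, valid response through in real time; stopping that needs the link-layer bonding and encryption the article says are so often skipped, or an app-side check that the user actually intended the unlock.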

Of course there is encryption to consider when paired devices transmit data. To set up secure pairing between a controller and a smart lock, for example, BLE offers three pairing methods: Just Works, Passkey Entry and Out of Band.

According to the BLE specifications, “Just Works and Passkey Entry do not provide any passive eavesdropping protection.” Jasek explains that in the case of Just Works the static PIN value used is 000000. When a Passkey Entry PIN is used, he said, it can be brute-force cracked using the Crackle hacking tool.

According to SecuRing, a significant number of devices do not implement the aforementioned security features properly. According to the researchers, 16 out of 20 devices reviewed were misconfigured, allowing a hacker to use a tool such as GATTacker to perform a MitM attack. Other access control devices that did transmit over an unencrypted BLE link used their own encryption solution to protect data on top of Just Works or Passkey Entry pairing. Those implementations were not common, according to SecuRing research.

Jasek said other types of MitM attacks can vary and are not limited to breaking physical access controls. Using a cloned device, Jasek said, it would be possible to launch a denial-of-service attack against automated home features. In another scenario, a hacker could earn iBeacon-based customer loyalty points for visiting specific commercial stores without ever leaving their home. In another example, Jasek was able to perform a MitM attack against a point-of-sale system. In that example, even though he was not able to retrieve encrypted credit card data, he was able to spoof messages to the PoS system saying “transaction processed” or “transaction approved.”

Jasek was one of several security researchers at this month’s Black Hat and DEF CON hacker conferences to expose flaws within the BLE protocol. At DEF CON, Anthony Rose and Ben Ramsey from Merculite Security also demonstrated how insecurities in BLE could be used to crack open smart locks. At last year’s Black Hat conference researchers demonstrated similar types of hacking tools for spoofing RFID proximity card readers to break physical access controls.

Authors

Threatpost
